If the user is not signed in, CurrentUser will be null.
But that won't stop you from checking permissions, which is how you should add security to your module.
To see how Permissions work, have a look at Orchard.Blogs, specifically the Permissions class. Look for references to these defined permissions to see how they are enforced.
Note: when the user is not loggedin, the Anonymous role is in effect.

You should not in most cases. If you want to restrict security, permissions are definitely the way to go. If you want to present different experiences to different roles, then yes, maybe, but keep in mind that roles are not guaranteed to exist, as they
can be modified, deleted and created by the site admin. Also, don't tell them apart by id (those are not guaranteed), but by name.